Regulations, Audit & Compliance

Here’s a million dollar question (which could quite literally be a million dollar question, given the potential fines in play): How fast is your organization able to respond after a personal data breach? The General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, requires that organizations report unauthorized access to personal data within 72 hours of detection.

If you’re thinking that seems like a tight window—you’re right. According to a recent industry study, only 10 percent of breached organizations were able to notify regulators within 72 hours of discovering a breach. Moreover, 38 percent reported notification took two to five months to complete.

Beyond this initial notification, GDPR Article 33 also requires that organizations describe and document the following information:

The nature of the personal data breach, the categories and approximate number of data subjects impacted

Likely consequences

Measures taken or proposed to be taken by the controller to address the personal data breach

The sobering truth is that attackers are likely hiding inside your environment right now, undetected, navigating the network in search of the right pathway to access sensitive data. To rapidly and accurately report on a breach—or, better yet, detect a threat before a breach occurs—you need robust operational controls. A strong Privileged Account Security strategy is critical to such control.

Detect and Block Threats Early in the Attack Cycle

Security tools and solutions are continuously developed to protect organizations from existing vulnerabilities and threats. But attackers are often a step ahead, plotting new, sophisticated ways to infiltrate organizations. That’s why it’s critical to adopt an attacker’s mindset when bolstering your security practices in preparation for GDPR. To do so, it’s important to detect and block threats early in the attack cycle. Consider these four steps:

First, look for exposed privileged accounts. Do you have a solution in place for exposed credentials and unconstrained delegation alerts? Unconstrained delegation gives a service the ability to impersonate a user in another service, which has a real security impact. When a privileged user connects to a machine on which unconstrained delegation has been enabled, their ticket-granting ticket (TGT) is stored in that machine’s memory, where it can be replayed to move laterally and compromise a domain controller.
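One way to turn the question above into a recurring check, as an added example that is not part of the original post or of any CyberArk product: enumerate Active Directory objects carrying the TRUSTED_FOR_DELEGATION flag and then verify that privileged users are protected from having their TGT forwarded to such hosts. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access; the group names are the built-in Domain Admins and Protected Users groups.

```powershell
# Added example (not from the original post): audit Active Directory for accounts
# configured for unconstrained Kerberos delegation, the exposure described above.
# Requires the ActiveDirectory RSAT module and a domain-joined session with read access.
Import-Module ActiveDirectory

# userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000) marks unconstrained delegation.
# The LDAP matching rule 1.2.840.113556.1.4.803 performs a bitwise AND on the attribute.
$TrustedForDelegation = 0x80000
$NotDelegated         = 0x100000   # "Account is sensitive and cannot be delegated"
$ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=$TrustedForDelegation)"

$delegating = Get-ADObject -LDAPFilter $ldapFilter `
    -Properties sAMAccountName, objectClass, primaryGroupID, servicePrincipalName, userAccountControl

# Domain controllers (primaryGroupID 516, read-only DCs 521) are trusted for delegation
# by design; any other user or computer carrying the flag is a finding worth reviewing.
$findings = $delegating | Where-Object { $_.primaryGroupID -notin 516, 521 } | ForEach-Object {
    [pscustomobject]@{
        Account     = $_.sAMAccountName
        ObjectClass = $_.objectClass
        SPNs        = ($_.servicePrincipalName -join ';')
        DN          = $_.DistinguishedName
    }
}
$findings | Format-Table -AutoSize

# Mitigation check: privileged accounts should be marked "sensitive and cannot be delegated"
# or be members of Protected Users, so that their TGT is never handed to a delegating host.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties userAccountControl, MemberOf

foreach ($u in $privileged) {
    $sensitive = ($u.userAccountControl -band $NotDelegated) -ne 0
    $protected = $u.MemberOf -match '^CN=Protected Users,'
    if (-not $sensitive -and -not $protected) {
        Write-Warning "$($u.SamAccountName): TGT can be delegated (not sensitive, not in Protected Users)"
    }
}
```

Run the script on a schedule and alert on any new row in the findings table, since a freshly delegating non-DC host is exactly the change the paragraph above asks you to be able to detect.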

Identify controls that can bypass privileged account security. Privileged accounts are a significant vulnerability when unsecured, and they exist across every organization. Can you identify how many privileged accounts and service accounts you have under management? Are they secured? Is there a solution in place that can detect suspected credential theft, or rotate credentials and passwords, to prevent attackers from escalating privileges and navigating the environment?

Identify attacks known to bypass authentication. Do you have a way of detecting attacks that exploit Kerberos authentication? These attacks can be very damaging; some provide significant, unrestricted access and unlimited time for reconnaissance. Are you considering attacks that are launched deep within the network?

Detect the abuse of privileged access. Can you clearly define the type of activity that is normal? In other words, business as usual versus activity that is anomalous and may be risky to the organization? Are you taking that risk-based approach to privileged account security? Do you have a solution that will prevent attackers from gaining access to critical systems and applications that are holding sensitive personal EU data?

Blocking unauthorized access to personal data helps you prevent reportable data breaches in the first place. As much as possible, automatic detection and blocking of access should be a proactive function built into your Privileged Account Security solution. This type of early detection is different from perimeter defenses, which are monitoring and security controls focused on protecting your systems from attacks from the outside. A strong Privileged Account Security strategy focuses on proactively detecting threats to personal data from the inside out. Real-time profiling and analysis of individual privileged session behavior within the network can help an organization detect breaches early, raising prioritized alerts when abnormal activity is detected.

In our second GDPR advisory, we outline a list of proactive detection and privileged access accounting checkpoints to help you prepare for GDPR notification and reporting requirements. To learn more about detecting and responding rapidly to breaches, contact your sales representative, view our on-demand webinar series, or visit here to learn how CyberArk can help your organization with GDPR readiness.

Corporate legal counsels, technology providers, IT professionals – and anyone else paying attention to the General Data Protection Regulation (GDPR) – would undoubtedly agree that the requirements within the 99 Articles of the regulation present a laundry list of necessary changes many organizations will need to make to avoid non-compliance. The one we want to highlight in this blog calls for an adequate level of protection to be implemented for cross-border data transfers. Article 45, ‘Transfers on the basis of an adequacy decision’ specifically states:

“A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.”

This complicates things in the world of international commerce. Here in the United States, the Department of Commerce has nixed the U.S.-EU Safe Harbor Framework (following a decision by the Court of Justice of the European Union) and replaced it with a new framework, the EU-U.S. Privacy Shield. This new framework better aligns to the very detailed and specific requirements of GDPR, and it will allow companies within the United States and the European Union to successfully execute transatlantic data transfers.

Any country, governmental body or organization that turns a blind eye to this requirement will subsequently have its respective data transfers blocked by this legislation. Most importantly, not having an ‘adequate level of protection’ means the chances of being subjected to a personal data breach increase considerably, which, as we all now know, introduces severe financial and reputational consequences.

With CyberArk Privileged Account Solution Version 10, we’ve made significant enhancements that enable customers to better meet the requirements for storing session recordings for cross-border data transfers. Our customers now have the ability to securely store privileged session recordings on region-based storage, as opposed to storing them in a Digital Vault, which might be globally dispersed or, more likely, outside the European Union. This is especially important for monitored database sessions, where client data has the potential to be revealed as a consequence of a command executed by an administrator.

This change applies to both processor and controller requirements and benefits customers that need to lock down their session recordings and ensure they do not leave a specific region (see Figure 1). This new capability goes beyond the requirements of GDPR and equally applies to local secrecy acts such as the Singapore Banking Secrecy Act, which prohibits (without permission) the export of client data outside of the region.

It’s important for organizations to only provide authorized users with access to these recordings, ensuring that any playback processes are consistent with the data isolation requirements. Additionally, it’s critical to protect the integrity of these privileged session recordings for digital forensics in the case they should ever be needed for a legal proceeding. To support the security, integrity and validity of these session recordings, the following capabilities have been enforced with CyberArk Privileged Account Solution Version 10:

Secure Communication – The communication between the Privileged Session Manager, the storage devices and the CyberArk user interface for the recordings replay is performed via a secure protocol.

Managed Authorization – Only authorized users in the Vault will be able to access the session recordings through CyberArk systems.

Searchable Audit Records and Streamlined Video Replay – The actual location of the video is transparent to the authorized user (e.g. auditors and reviewers) and provides the exact same user experience for both vault-stored recordings and externally stored recordings.

Maintenance Users Protection – The CyberArk Privileged Account Security Solution will be used for authorizing and monitoring maintenance users’ access to the secure storage.

These enhancements show CyberArk’s dedication to helping organizations avoid non-compliance with GDPR. The CyberArk Privileged Account Security Solution can be critical for your organization to advance securely in an increasingly dynamic, competitive business environment. Be sure to visit our website for more information on how CyberArk solutions can help support your GDPR strategy today.

The General Data Protection Regulation (GDPR) goes into force on May 25, 2018, yet despite the rapidly approaching deadline, many organizations are still either confused about or unprepared for this sizable piece of legislation.

To help organizations better prepare for the upcoming changes, while underscoring the strategic business value of securing access to personal data, we’ve developed a GDPR Advisory series, which is now available. The series outlines practical steps for meeting GDPR requirements for protecting personal data, including protecting access, responding rapidly, assessing risk and demonstrating compliance.

Protecting the Pathways to Personal Information

As we’ve covered in previous posts, a cyber attacker typically follows the privileged pathway leading to an organization’s most sensitive assets and information. To protect your organization, you must tightly control your pathways to privileged access, so unauthorized users are blocked on the spot—whether they are malicious or mistaken.

Privileged “users” including employees and third parties—even certain applications or processes—all have access to this pathway, and therefore, personal data. You are now responsible for all of these under GDPR.

Our first GDPR Advisory delves into the specific articles within the GDPR legislation that outline who, or what, can (and cannot) have privileged access to personal data. For example:

GDPR Article 25 requires protection of personal data by design and by default: We’ll explore how implementing the “least privilege principle” can limit user access to the minimal level of data that allows normal business functions and significantly strengthens operational control over access to personal data.

GDPR Article 32(2) says organizations must protect against the accidental or unlawful destruction, loss, alteration or access to personal data: We’ll outline proactive steps you can take to comply with this article, including placing privileged credentials in a secure digital vault and enforcing individual accountability for each action taken using those credentials—at any point in time.

Strong privileged account security requires more than the management of individual users’ passwords. You also need to comprehensively isolate, control and monitor privileged access across systems, databases and VMs. We’ll explore an actionable “checklist” of steps to secure system access and stop attackers and malicious insiders from leveraging compromised credentials to bypass monitoring solutions and security controls.

Read the full GDPR Advisory here. To learn more about protecting your pathways to personal information, contact your sales representative or visit here to learn how CyberArk can help your organization with GDPR readiness.

The General Data Protection Regulation (GDPR) is said to be one of the most important changes to data privacy regulations within the past two decades. The primary purpose of GDPR is to reinforce the personal data rights of all individuals residing within the European Union, and to harmonize the way member states enforce data protection across this geography. The fact of the matter is, most people today do not trust their personal data in the hands of businesses – and honestly, who can blame them?

Significant personal data breaches continue to dominate headlines. Most organizations are not taking security seriously enough, with some even admitting they are well aware of existing security gaps but deliberately look the other way to keep business costs down and maintain higher profitability. As we’ve seen over the past few months, the media has highlighted both the financial and reputational implications of being caught in non-compliance – and for good reason.

GDPR will affect organizations globally. If an organization is found to be negligent, it will face fines of up to €20 million or 4 percent of total global turnover (whichever is greater). Moreover, there are equally serious reputational risks, such as significant brand damage and loss of both consumer trust and loyalty. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.[1] This begs a very important question: is your enterprise really ready?

What to Know and Understand

Understand where personal data resides within your organization. Personal data is defined as any subject’s name, address, location, online identifier, health information, income, cultural profile and more. Enterprises should map their data flows in a prioritized manner, starting from the top down with whatever is considered to be of high risk and with whatever business processes involve gathering, processing and protecting sensitive personal data. CyberArk solutions will help an enterprise lock down the access both human and non-human users have to critical systems and applications, but before you can do that, you first need to identify where exactly the data resides within your organization. Additionally, any personal data that no longer serves a legitimate business purpose needs to be deleted. Backups and duplicate copies of personal data files might land you in the hot seat if you don’t manage your data subjects’ ‘right to erasure’ correctly.

Get a handle on your supply chain. One important change in GDPR that was absent from its predecessor (the Data Protection Directive) is the new direct legal obligations for data processors. This change brings potential litigation and damage claims directly from data subjects, whereas before, data processors really only needed to concern themselves with the existing contractual agreements they had in place with their data controllers. Once GDPR goes into enforcement, both controllers and processors will be required to prove they were not responsible in the event of a breach. You might have the most comprehensive GDPR strategy in place, with all the necessary tools and components to protect your personal data – but substantial risk still resides within your third-party vendor supply chain. There needs to be a greater degree of transparency across the supply chain, with a shared responsibility for securing personal data.

Additional Considerations

Given that GDPR is a very complex and far-reaching regulation that cannot be solved overnight, it’s best to not boil the ocean. Take a pragmatic approach. One of the first and most critical steps for enterprise-level organizations is to partner with an advisory consultant. Most consultancies offer GDPR-specific workshops, detailed assessments, regular testing and actionable guidance. They’ll work with your team to put in place the necessary personnel, processes and technology that align with whatever is your most optimal strategy to maintain compliance with this regulation.

I previously discussed five ways CyberArk can help you address GDPR, highlighting some of the key articles within the regulation and how CyberArk can help mitigate risk against non-compliance. It’s well understood that complying with GDPR cannot be achieved with a single security vendor – it’s a team effort. CyberArk customers also have access to our C3 Alliance Technology Program, which provides a wide range of integrations with security solution providers from around the world. These technology integrations enable an organization to realize a much more comprehensive GDPR solution, as well as bring more value to existing security investments.

The Society of Worldwide Interbank Financial Telecommunication (SWIFT) provides a community of global financial institutions the ability to exchange sensitive information relating to international financial transactions. This vast network—over 11,000 customers across 200+ countries—has become an attractive, high-value target for cyber attackers, as evidenced by high-profile breaches including the infamous Bangladesh Central Bank heist. By capturing legitimate SWIFT operator credentials while employing increasingly sophisticated hacking techniques, attackers continue to pilfer hundreds of millions from banks around the world.

Protecting these credentials from reaching the hands of criminals is an essential step in preventing future attacks. To that end, SWIFT’s Customer Security Programme has established a secure framework and baseline of accountability for customers of SWIFT. This framework has a strong emphasis on privileged account security. Mandatory and advisory security controls must be implemented across the community, and organizations must prove compliance with these regulations by January 18, 2018.

The SWIFT security framework comprises 27 controls based on three overarching objectives, and there are about five months remaining to prove compliance. Fortunately, CyberArk customers can address a majority of these controls. CyberArk provides the capabilities needed to meet requirements around securing the organization’s environment, knowing “who” and “what” has access to critical systems and applications, and detecting and responding to high-risk activity in operator sessions. Following is a high-level look at how CyberArk can help organizations meet these core objectives:

Secure Your Environment: Risk comes from outside and within—determined, malicious “outsiders” and careless or disgruntled “insiders.” Either can wreak havoc on a financial institution. Unmanaged privileged credentials and accounts are the common vulnerability in both cases. The CyberArk Privileged Account Security Solution can protect and control access to critical systems and infrastructure within a local SWIFT environment. By removing local administrative rights and using CyberArk Endpoint Privilege Manager, organizations can provide users with non-administrative access and on-demand session elevation when needed based on defined policies. Multiple layers of built-in security serve to protect all privileged account operator credentials, including passwords and SSH keys (which may be used to access critical UNIX/Linux operating systems).

Know and Limit Access: The CyberArk Privileged Session Manager enables organizations to isolate, monitor, record and control privileged sessions on critical systems. The solution acts as a jump server and single access control point, enabling organizations to establish a “secure zone” that protects the local SWIFT infrastructure. Real-time privileged session monitoring enables security teams to detect suspicious activity as soon as it occurs and remotely terminate the session to minimize any potential damage. Additionally, searchable audit logs and session recordings are stored in a tamper-proof vault to prevent privileged users from editing or deleting their history. Security and audit teams can easily review these recordings and audit logs to locate the exact moment an event occurred and gain a clear understanding of the scope and severity of an incident.

Detect and Respond: Attackers target and compromise legitimate, trusted credentials within the network, which makes credential theft attacks difficult to detect. Many institutions also struggle to pinpoint attempts by internal or external threat actors to bypass enforced controls. To help overcome these challenges, CyberArk Privileged Threat Analytics detects the abuse, misuse and theft of privileged credentials. When combined with the CyberArk Privileged Account Security Solution, CyberArk can flag high-risk, anomalous activity within local SWIFT environments and provide a fully detailed, searchable audit trail of privileged activity.

To learn more about how CyberArk can help your organization prepare for the January 2018 SWIFT security framework compliance deadline, check out the webinar replay ‘Fast Track to SWIFT Compliance’.